Nmap Development mailing list archives

Re: Ncrack imap+pop3 module patch


From: ithilgore <ithilgore.ryu.l () gmail com>
Date: Wed, 17 Feb 2010 03:52:26 +0200

On 02/05/2010 02:53 AM, Bucsay Balázs wrote:
Hi!

Tonight I made one patch to the ncrack (from svn). Now it supports
IMAPv4 and POP3, of course with SSL too.
You can download it from here:
http://rycon.hu/tools/ncrack-0.01ALPHA-SVN-pop3imap.diff.gz

If you want, modify it and merge it into the original source.

I hope you can use it :)

Balázs Bucsay
http://rycon.hu/

I just went through your code more thoroughly.
Here are the points that need further inquiry and modification:

1) Use of the con->iobuf system is deprecated. It will be completely
removed once I get rid of it in the telnet module. The latest version of
Ncrack uses two distinct buffers for I/O: inbuf for incoming data and
outbuf for outgoing data. The latter is essential due to the way Nsock
works. It is wrong to give nsock_write a buffer that has been allocated on
the stack and that will have already died out of scope when the internal
nsock handlers operate on the buffer. The buffer needs to be dynamically
allocated and a pointer to it must be given to nsock_write() as argument.
Hence, the need for a separate outbuf.

2) In your pop3_response_parser() you are also looking for multiline
answers. However, according to RFC 1939, multi-line responses occur only
for certain commands, and the authentication ones are not among them:

"Responses to certain commands are multi-line.  In these cases, which
 are clearly indicated below, after sending the first line of the
 response and a CRLF, any additional lines are sent, each terminated
 by a CRLF pair."

In addition, the server greeting is one-line:

   "Once the TCP connection has been opened by a POP3 client, the POP3
    server issues a one line greeting.  This can be any positive
    response.  An example might be:"

Have you noticed any occurrences where the multi-line detection was needed?
If not, then we should not bother with that check.

3) Proper indentation:

* 80 char limit for line-wrap (OK)
* tabs converted to spaces (every tab is 2 spaces)
  in vim I usually do this:
  :set tabstop=2 shiftwidth=2 expandtab
  :%retab
* function definitions should have the function name in the line after
  the returning variable (and any additional qualifiers like static)


4) It is possible for the server to respond with a -ERR for the USER
command indicating that the provided username is not valid.

"Possible Responses:
             +OK name is a valid mailbox
             -ERR never heard of mailbox name

         Examples:
             C: USER frated
             S: -ERR sorry, no mailbox for frated here
                ...
             C: USER mrose
             S: +OK mrose is a real hoopy frood"

In your code, you assume that any answer other than "+OK" is an indication
of a protocol error leading to the termination of the module. However, we
should take into account the above possibility.


5) POP3 supports other methods of authentication like APOP. Have you
considered a possible implementation of these in the module?

You can generally get a listing of the supported authentication types of
the server by issuing the CAPA (capabilities) command as noted by the POP3
Extension Mechanism in RFC 2449. Note that for APOP specifically:

 "Note that there is no APOP capability, even though APOP is an
  optional command in [POP3]. Clients discover server support of APOP by
  the presence in the greeting banner of an initial challenge enclosed
  in angle brackets ("<>")."


I have attached the revised (for points 1 and 3) ncrack_pop3.cc.
Can you work on points 2 and 4 (and even better on 5 too)?
The ncrack_imap.cc should follow the same paradigm.

Cheers,
ithilgore

Attachment: ncrack_pop3.cc
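An added example, not code from the patch or from Ncrack itself, that works through points 2, 4 and 5 above in Python: replies to authentication commands are parsed as single lines, a -ERR to USER is reported as a rejected credential rather than a protocol error, the greeting is scanned for an APOP challenge, and CAPA (one of the genuinely multi-line replies) is read up to its "." terminator. The sample replies are constructed; the USER one is the RFC 1939 example quoted above.

```python
import re
CRLF = "\r\n"

# Constructed sample replies; the USER one is the RFC 1939 example quoted above.
GREETING = "+OK POP3 server ready <12345.1266371546@mail.example.test>" + CRLF
USER_REJECTED = "-ERR sorry, no mailbox for frated here" + CRLF
CAPA_REPLY = CRLF.join(["+OK Capability list follows", "TOP", "USER",
                        "SASL CRAM-MD5", "RESP-CODES", "PIPELINING", "."]) + CRLF

def parse_status_line(data):
    """One-line status reply -> ("ok"|"err", text); None if the CRLF has not
    arrived yet; ValueError for anything else (a genuine protocol error)."""
    end = data.find(CRLF)
    if end < 0:
        return None
    line = data[:end]
    if line.startswith("+OK"):
        return ("ok", line[3:].strip())
    if line.startswith("-ERR"):
        return ("err", line[4:].strip())
    raise ValueError("not a POP3 status reply: %r" % line)

def classify_auth_reply(data):
    """Auth replies are one line (point 2); -ERR is a rejected credential (point 4)."""
    status = parse_status_line(data)
    if status is None:
        return "need_more"
    return "auth_ok" if status[0] == "ok" else "auth_failed"

def apop_challenge(greeting):
    """No CAPA entry for APOP (point 5): offered iff the greeting holds a <..@..> challenge."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None

def parse_capa(data):
    """CAPA is a real multi-line reply: lines after +OK up to a lone '.',
    with leading dots unstuffed (RFC 2449). None while still incomplete."""
    status = parse_status_line(data)
    if status is None:
        return None
    if status[0] == "err":
        return []  # server without CAPA support (pre-RFC 2449)
    first = data.find(CRLF)
    end = data.find(CRLF + "." + CRLF, first)
    if end < 0:
        return None  # terminator not seen yet; keep reading
    body = data[first + 2:end]
    lines = [l[1:] if l.startswith(".") else l for l in body.split(CRLF)]
    return [l.split()[0].upper() for l in lines if l.strip()]  # names only
```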